From c73b91680c4e7ccc9715c6d1dd5e8bdb6d9de4ef Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Sat, 17 Aug 2024 23:57:34 +0900 Subject: [PATCH] Support reproducible builds (except packages) See docker-library/official-images issue 16044 - `SOURCE_DATE_EPOCH` is added. The value is consumed by the build scripts to make the binary reproducible. - For Debian, `/var/log/*` is removed as they contain timestamps - For Debian, `/var/cache/ldconfig/aux-cache` is removed as they contain inode numbers, etc. - For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed` - For Alpine, `/var/cache/fontconfig` is removed > [!NOTE] > The following topics are NOT covered by this commit: > > - To reproduce file timestamps in layers, BuildKit has to be executed with > `--output type=,rewrite-timestamp=true`. > Needs BuildKit v0.13 or later. > > - To reproduce the base image by the hash, reproducers may: > - modify the `FROM` instruction in Dockerfile manually > - or, use the `CONVERT` action of source policies to replace the base image. > > > - To reproduce packages, see the `RUN` instruction hook proposed in > moby/buildkit issue 4576 
Signed-off-by: Akihiro Suda --- Dockerfile.template | 20 +++++++++++++++----- beta/php8.1/apache/Dockerfile | 10 +++++++++- beta/php8.1/fpm-alpine/Dockerfile | 12 +++++++++--- beta/php8.1/fpm/Dockerfile | 10 +++++++++- beta/php8.2/apache/Dockerfile | 10 +++++++++- beta/php8.2/fpm-alpine/Dockerfile | 12 +++++++++--- beta/php8.2/fpm/Dockerfile | 10 +++++++++- beta/php8.3/apache/Dockerfile | 10 +++++++++- beta/php8.3/fpm-alpine/Dockerfile | 12 +++++++++--- beta/php8.3/fpm/Dockerfile | 10 +++++++++- cli/php8.1/alpine/Dockerfile | 10 +++++++--- cli/php8.2/alpine/Dockerfile | 10 +++++++--- cli/php8.3/alpine/Dockerfile | 10 +++++++--- latest/php8.1/apache/Dockerfile | 10 +++++++++- latest/php8.1/fpm-alpine/Dockerfile | 12 +++++++++--- latest/php8.1/fpm/Dockerfile | 10 +++++++++- latest/php8.2/apache/Dockerfile | 10 +++++++++- latest/php8.2/fpm-alpine/Dockerfile | 12 +++++++++--- latest/php8.2/fpm/Dockerfile | 10 +++++++++- latest/php8.3/apache/Dockerfile | 10 +++++++++- latest/php8.3/fpm-alpine/Dockerfile | 12 +++++++++--- latest/php8.3/fpm/Dockerfile | 10 +++++++++- 22 files changed, 198 insertions(+), 44 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 017f0ed466..5e5f493fed 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -4,6 +4,10 @@ -}} FROM php:{{ env.phpVersion }}-{{ env.variant }} +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + {{ if env.version != "cli" then ( -}} # persistent dependencies {{ if is_alpine then ( -}} @@ -15,7 +19,9 @@ RUN set -eux; \ ghostscript \ # Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497 imagemagick \ - ; + ; \ +# clean up for reproducibility + rm -rf /var/cache/fontconfig {{ ) else ( -}} RUN set -eux; \ apt-get update; \ 
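Review bot: `ENV SOURCE_DATE_EPOCH 0`, added directly after `FROM` in the first hunk of Dockerfile.template, is not confined to the build. An `ENV` value is stored in the image config, so processes in the running container and any image built `FROM` this one also see the epoch pinned to 0. The added comment explains why `--build-arg` is not used but does not mention this side effect; I would extend it with `# NOTE: as ENV this also reaches the running container and derived images; tools that honour SOURCE_DATE_EPOCH there will stamp 1970-01-01.` The same three lines recur in the first hunk of every Dockerfile below, which appear to be generated from this template.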
@@ -23,7 +29,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache {{ ) end -}} {{ ) else ( -}} # install wp-cli dependencies @@ -43,7 +51,7 @@ WORKDIR /var/www/html RUN set -ex; \ \ {{ if is_alpine then ( -}} - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -123,7 +131,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ {{ ) else ( -}} # reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies @@ -139,6 +147,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ {{ ) end -}} \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ @@ -247,7 +257,7 @@ ENV WORDPRESS_CLI_SHA512 {{ .sha512 }} RUN set -ex; \ \ - apk add --no-cache --virtual .fetch-deps \ + apk add --no-cache --virtual .fetch-deps=0 \ gnupg \ ; \ \ diff --git a/beta/php8.1/apache/Dockerfile b/beta/php8.1/apache/Dockerfile index c5ce92aaaf..145b8c2d8c 100644 --- a/beta/php8.1/apache/Dockerfile +++ b/beta/php8.1/apache/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.1-apache +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ 
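Review bot: The added `rm -rf /var/log/*` in the Debian branch deletes everything under `/var/log`, not only the timestamped files written by the preceding `apt-get` step. Anything the `php` base image placed there goes too; for the `apache` variant that may include the web server's log directory, which this diff does not show and which should be checked before merging. Narrowing the cleanup to the package-manager output, e.g. `rm -rf /var/log/apt /var/log/dpkg.log /var/log/alternatives.log /var/cache/ldconfig/aux-cache`, should keep the reproducibility gain without touching unrelated paths. The same command is added in the `@@ -139,6 +147,8 @@` hunk of this template and in the Debian-based Dockerfiles further down.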
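Review bot: The `=0` suffix added to `--virtual .build-deps` in the `@@ -43,7 +51,7 @@` hunk carries no comment in the template, so its purpose can only be recovered from the commit message. A later edit could drop it as a typo and silently bring back the timestamp-based version in `/etc/apk/world` and `/lib/apk/db/installed`. I would add, above the `apk add` line, `# "=0" pins the virtual package version; without it apk records a timestamp-based one, which breaks reproducible builds`. The same applies to `.wordpress-phpexts-rundeps=0` and `.fetch-deps=0` in the later hunks of this file; the enclosing `RUN` continues outside the hunk.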
@@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/beta/php8.1/fpm-alpine/Dockerfile b/beta/php8.1/fpm-alpine/Dockerfile index 865a9809b0..831e048aa6 100644 --- a/beta/php8.1/fpm-alpine/Dockerfile +++ b/beta/php8.1/fpm-alpine/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.1-fpm-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apk add --no-cache \ @@ -15,12 +19,14 @@ RUN set -eux; \ ghostscript \ # Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497 imagemagick \ - ; + ; \ +# clean up for reproducibility + rm -rf /var/cache/fontconfig # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ 
@@ -75,7 +81,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ diff --git a/beta/php8.1/fpm/Dockerfile b/beta/php8.1/fpm/Dockerfile index 417f4aa558..38358fad2b 100644 --- a/beta/php8.1/fpm/Dockerfile +++ b/beta/php8.1/fpm/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.1-fpm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/beta/php8.2/apache/Dockerfile b/beta/php8.2/apache/Dockerfile index d3ca7855d7..b789980fba 100644 --- a/beta/php8.2/apache/Dockerfile +++ b/beta/php8.2/apache/Dockerfile 
@@ -6,6 +6,10 @@ FROM php:8.2-apache +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/beta/php8.2/fpm-alpine/Dockerfile b/beta/php8.2/fpm-alpine/Dockerfile index a456f3772d..6220a324b8 100644 --- a/beta/php8.2/fpm-alpine/Dockerfile +++ b/beta/php8.2/fpm-alpine/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.2-fpm-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -15,12 +19,14 @@ RUN set -eux; \ ghostscript \ # Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497 imagemagick \ - ; + ; \ +# clean up for reproducibility + rm -rf /var/cache/fontconfig # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -75,7 +81,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ diff --git a/beta/php8.2/fpm/Dockerfile b/beta/php8.2/fpm/Dockerfile index b566ab28f3..fb9a2a64e6 100644 --- a/beta/php8.2/fpm/Dockerfile +++ b/beta/php8.2/fpm/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.2-fpm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ 
@@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/beta/php8.3/apache/Dockerfile b/beta/php8.3/apache/Dockerfile index cd0a5e8b7f..eaeeffceb7 100644 --- a/beta/php8.3/apache/Dockerfile +++ b/beta/php8.3/apache/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.3-apache +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/beta/php8.3/fpm-alpine/Dockerfile b/beta/php8.3/fpm-alpine/Dockerfile index 04b4d1c2ae..9382ea58b7 100644 --- a/beta/php8.3/fpm-alpine/Dockerfile +++ b/beta/php8.3/fpm-alpine/Dockerfile 
@@ -6,6 +6,10 @@ FROM php:8.3-fpm-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apk add --no-cache \ @@ -15,12 +19,14 @@ RUN set -eux; \ ghostscript \ # Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497 imagemagick \ - ; + ; \ +# clean up for reproducibility + rm -rf /var/cache/fontconfig # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -75,7 +81,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ diff --git a/beta/php8.3/fpm/Dockerfile b/beta/php8.3/fpm/Dockerfile index e9300dff15..7786457b84 100644 --- a/beta/php8.3/fpm/Dockerfile +++ b/beta/php8.3/fpm/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.3-fpm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/cli/php8.1/alpine/Dockerfile b/cli/php8.1/alpine/Dockerfile index ee49be32f8..691e5bd36b 100644 --- a/cli/php8.1/alpine/Dockerfile +++ b/cli/php8.1/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.1-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # install wp-cli dependencies RUN apk add --no-cache \ # bash is needed for 'wp shell': https://github.com/wp-cli/shell-command/blob/b8dafcc2a2eba5732fdee70be077675a302848e9/src/WP_CLI/REPL.php#L104 @@ -21,7 +25,7 @@ WORKDIR /var/www/html # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ 
@@ -76,7 +80,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ @@ -113,7 +117,7 @@ ENV WORDPRESS_CLI_SHA512 adb12146bab8d829621efed41124dcd0012f9027f47e0228be70802 RUN set -ex; \ \ - apk add --no-cache --virtual .fetch-deps \ + apk add --no-cache --virtual .fetch-deps=0 \ gnupg \ ; \ \ diff --git a/cli/php8.2/alpine/Dockerfile b/cli/php8.2/alpine/Dockerfile index 1bd85cfb68..9c62118e15 100644 --- a/cli/php8.2/alpine/Dockerfile +++ b/cli/php8.2/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.2-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # install wp-cli dependencies RUN apk add --no-cache \ # bash is needed for 'wp shell': https://github.com/wp-cli/shell-command/blob/b8dafcc2a2eba5732fdee70be077675a302848e9/src/WP_CLI/REPL.php#L104 @@ -21,7 +25,7 @@ WORKDIR /var/www/html # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -76,7 +80,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ 
@@ -113,7 +117,7 @@ ENV WORDPRESS_CLI_SHA512 adb12146bab8d829621efed41124dcd0012f9027f47e0228be70802 RUN set -ex; \ \ - apk add --no-cache --virtual .fetch-deps \ + apk add --no-cache --virtual .fetch-deps=0 \ gnupg \ ; \ \ diff --git a/cli/php8.3/alpine/Dockerfile b/cli/php8.3/alpine/Dockerfile index d5df8ea6d6..d2b0f81e9d 100644 --- a/cli/php8.3/alpine/Dockerfile +++ b/cli/php8.3/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.3-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # install wp-cli dependencies RUN apk add --no-cache \ # bash is needed for 'wp shell': https://github.com/wp-cli/shell-command/blob/b8dafcc2a2eba5732fdee70be077675a302848e9/src/WP_CLI/REPL.php#L104 @@ -21,7 +25,7 @@ WORKDIR /var/www/html # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -76,7 +80,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ @@ -113,7 +117,7 @@ ENV WORDPRESS_CLI_SHA512 adb12146bab8d829621efed41124dcd0012f9027f47e0228be70802 RUN set -ex; \ \ - apk add --no-cache --virtual .fetch-deps \ + apk add --no-cache --virtual .fetch-deps=0 \ gnupg \ ; \ \ diff --git a/latest/php8.1/apache/Dockerfile b/latest/php8.1/apache/Dockerfile index eb513e4e24..7cbc7677b8 100644 --- a/latest/php8.1/apache/Dockerfile +++ b/latest/php8.1/apache/Dockerfile 
@@ -6,6 +6,10 @@ FROM php:8.1-apache +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/latest/php8.1/fpm-alpine/Dockerfile b/latest/php8.1/fpm-alpine/Dockerfile index 12d523ba1d..c83d6ffedc 100644 --- a/latest/php8.1/fpm-alpine/Dockerfile +++ b/latest/php8.1/fpm-alpine/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.1-fpm-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -15,12 +19,14 @@ RUN set -eux; \ ghostscript \ # Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497 imagemagick \ - ; + ; \ +# clean up for reproducibility + rm -rf /var/cache/fontconfig # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -75,7 +81,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ diff --git a/latest/php8.1/fpm/Dockerfile b/latest/php8.1/fpm/Dockerfile index 03d44e48cd..1443c0157e 100644 --- a/latest/php8.1/fpm/Dockerfile +++ b/latest/php8.1/fpm/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.1-fpm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ 
@@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/latest/php8.2/apache/Dockerfile b/latest/php8.2/apache/Dockerfile index a67efd71dd..8ce67faded 100644 --- a/latest/php8.2/apache/Dockerfile +++ b/latest/php8.2/apache/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.2-apache +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/latest/php8.2/fpm-alpine/Dockerfile b/latest/php8.2/fpm-alpine/Dockerfile index 9e8c4093e2..15ab337a97 100644 --- a/latest/php8.2/fpm-alpine/Dockerfile +++ b/latest/php8.2/fpm-alpine/Dockerfile 
@@ -6,6 +6,10 @@ FROM php:8.2-fpm-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apk add --no-cache \ @@ -15,12 +19,14 @@ RUN set -eux; \ ghostscript \ # Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497 imagemagick \ - ; + ; \ +# clean up for reproducibility + rm -rf /var/cache/fontconfig # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -75,7 +81,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ diff --git a/latest/php8.2/fpm/Dockerfile b/latest/php8.2/fpm/Dockerfile index f3a9d06543..658dc979c1 100644 --- a/latest/php8.2/fpm/Dockerfile +++ b/latest/php8.2/fpm/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.2-fpm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/latest/php8.3/apache/Dockerfile b/latest/php8.3/apache/Dockerfile index aa2c758199..8834362cef 100644 --- a/latest/php8.3/apache/Dockerfile +++ b/latest/php8.3/apache/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.3-apache +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ 
@@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...) diff --git a/latest/php8.3/fpm-alpine/Dockerfile b/latest/php8.3/fpm-alpine/Dockerfile index 04ba455430..d1ffef12c7 100644 --- a/latest/php8.3/fpm-alpine/Dockerfile +++ b/latest/php8.3/fpm-alpine/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.3-fpm-alpine +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apk add --no-cache \ @@ -15,12 +19,14 @@ RUN set -eux; \ ghostscript \ # Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497 imagemagick \ - ; + ; \ +# clean up for reproducibility + rm -rf /var/cache/fontconfig # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ $PHPIZE_DEPS \ freetype-dev \ icu-dev \ @@ -75,7 +81,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \ + apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ diff --git a/latest/php8.3/fpm/Dockerfile b/latest/php8.3/fpm/Dockerfile index df8fa2ba17..928e1af3ea 100644 --- a/latest/php8.3/fpm/Dockerfile 
+++ b/latest/php8.3/fpm/Dockerfile @@ -6,6 +6,10 @@ FROM php:8.3-fpm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # persistent dependencies RUN set -eux; \ apt-get update; \ @@ -13,7 +17,9 @@ RUN set -eux; \ # Ghostscript is required for rendering PDF previews ghostscript \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* ; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # install the PHP extensions we need (https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions) RUN set -ex; \ @@ -81,6 +87,8 @@ RUN set -ex; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \ \ ! { ldd "$extDir"/*.so | grep 'not found'; }; \ # check for output like "PHP Warning: PHP Startup: Unable to load dynamic library 'foo' (tried: ...)